8/3/2019 Audit India
http://slidepdf.com/reader/full/audit-india 1/25
Formulation of IT Auditing Standards
IT Audit Seminar organized by National Audit Office, China
1 to 4 September 2004
Paper on “Formulation of IT Auditing Standards”
By -- Ms.Puja S Mandol and Ms. Monika Verma
Supreme Audit Institution of India
Introduction
Computers and computer-based information systems now pervade every modern organization. An organization must exercise control over these systems, because the cost of errors and irregularities arising in them can be high and can even threaten the organization's existence. An organization's ability to survive can be severely undermined by corruption or destruction of its databases, by decision-making errors caused by poor-quality information systems, by losses incurred through computer abuse, and by loss of computer assets or of control over how computers are used within the organization. Managements across the world have therefore deployed specialized auditors to audit their information systems, to find gaps between declared policies and actual use and to identify shortcomings in information system design and usage.
Information Systems Audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently.
The IS auditor should see not only that adequate internal controls exist in the system but also that they work effectively to achieve the intended results and objectives. Internal controls should be commensurate with the assessed risk, so as to reduce the impact of identified risks to acceptable levels. IT auditors need to evaluate the adequacy of the internal controls in computer systems to mitigate the risk of loss due to errors, fraud and other acts, and due to disasters or incidents that render the system unavailable.
Supreme Audit Institution, India1
Auditing Standards for auditing Information Systems
The specialized nature of Information Systems auditing, and the professional skills and credibility necessary to perform such audits, require standards that apply specifically to IS auditing. Standards, procedures and guidelines have been issued by various institutions which set out how the auditor should go about auditing Information Systems.
In line with such developments, the Supreme Audit Institution of India has declared a mission to adopt and evolve standards, guidelines and best practices for auditing in a computerized environment. This will lend credibility and clarity to the conduct of audit in a computerized environment.

The framework for the IS Auditing Standards provides multiple levels of guidance. Standards provide a framework for all audits and auditors and define the mandatory requirements of the audit. They are broad statements of auditors' responsibilities and ensure that auditors have the competence, integrity, objectivity and independence needed in planning, conducting and reporting on their work. Guidelines provide guidance in applying the IS Auditing Standards; the IS auditor should consider them in determining how to implement the standards, use professional judgment in applying them, and be prepared to justify any departure. Procedures provide examples of procedures an IS auditor might follow in an audit engagement; they provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Guidelines and Procedures is to provide further information on how to comply with the IS Auditing Standards.
While conducting Information System Audit the auditor should consider the
issues of confidentiality, integrity and availability (CIA) and his work should be guided
by international or respective national standards. These may include INTOSAI Auditing
Standards, International Federation of Accountants (IFAC) Auditing Standards,
International standards of professional audit institutions such as Information Systems
Audit and Control Association (ISACA) and Institute of Internal auditors (IIA) and
national auditing standards of SAI member countries.
Information Systems Audit and Control Association (ISACA) has laid down the
following generic requirements for IS audit which are applicable to all categories of IS
audits –
1. The responsibility, authority and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.
2. The information systems auditor is to be independent of the auditee in attitude and appearance.
3. The information systems auditor is to adhere to the Code of Professional Ethics. Due professional care and observance of applicable professional auditing standards are to be exercised.
4. The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work, and is to maintain technical competence through continuing professional education.
5. The information systems auditor is to plan the work so as to address the audit objectives.
6. Information systems audit staff are to be appropriately supervised so as to ensure that audit objectives and applicable professional auditing standards are met. Audit findings and conclusions are to be supported by appropriate analysis and interpretation of sufficient, reliable, relevant and useful evidence.
7. The information systems auditor is to provide a report, in an appropriate form, to the intended recipients upon completion of the audit work.
8. The information systems auditor is to follow up on previous relevant findings to determine whether appropriate action has been taken in a timely manner.
SAI India has adopted COBIT as a source of best-practice guidance. The COBIT framework gives an IS auditor an understanding of business objectives and best practices and offers a commonly understood and well-respected standard reference. It includes Control Objectives, Control Practices and Audit Guidelines, which provide guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of control objectives not being met.
Information Systems Security and Audit
Organizations in all sectors of the economy depend upon information systems and communications networks, and share common requirements to protect sensitive information. Organizations and professional bodies work towards establishing secure information technology systems that protect the integrity, confidentiality, reliability and availability of information.
Defining Security Audit
Information Systems Security Audit is an independent review and examination of system records, activities and related documents to determine the adequacy of system controls, ensure compliance with established security policy and approved operational procedures, and detect breaches in security, so as to verify that data integrity is maintained, assets are safeguarded, organizational goals are achieved effectively and resources are used efficiently. A security audit is a systematic, measurable technical assessment of how the security policy is built into the information systems.

Professionalism and credibility play a very important role in the auditor's performance of an Information Systems Security Audit. The auditor should have full knowledge of the organization and its various functions, at times with considerable inside information.

The three fundamental properties of an information system that are tested in the course of a security audit are the confidentiality, availability and integrity of the information system assets. The principal screening variables are the various conceivable physical and logical security threats.
The purpose of any audit will be essentially to examine three basic compliances
in terms of Confidentiality, Integrity and Availability (CIA) –
• Confidentiality concerns the protection of sensitive information from unauthorized disclosure. The stringency of the controls over access to data should be determined by the level of sensitivity of that data.
• Integrity refers to the accuracy and completeness of the information as well as its validity in accordance with business values and expectations. It is an important audit objective because it provides assurance to management and to users that the information can be relied upon and trusted. It also includes reliability, which refers to the degree of consistency with which the system functions.
• Availability relates to information and information systems being available and operational when they are needed. It also concerns safeguarding of the necessary resources and associated capabilities. This implies that the organization has measures in place to ensure business continuity and timely recovery in case of disasters.
Why is security audit important?
An organization is exposed to a set of risks in every business and project initiative it undertakes. These include business risk, strategic risk, operational risk and the risk of legal non-compliance. Information systems, which play a significant role in the strategic initiatives of organizations (be it an ERP in a large automobile company or an e-governance initiative), are subject to the same risks.

Threats may be internal or external to the organization, and may result from an accidental slippage or from deliberate intrusion. Thus, besides safeguarding the information system, a security audit protects the organization's overall interests.
Standardizing Security Audit – Initiatives so far
Institutions and professional bodies all over the world have issued various
guidelines and best practices regarding Information System Security from time to time.
The British Standard BS 7799 provides guidelines for organizations to identify, manage and minimize the range of threats to which information is regularly subjected. These include internal threats, external threats, accidents, malicious actions and industrial sabotage.
International Organization for Standardization (ISO/IEC 17799) guidelines
state that the management should set a clear policy direction and demonstrate support
for, and commitment to, information security through the issue and maintenance of an
information security policy across the organization.
Center for Internet Security (CIS) has a mission to help organizations reduce the
risk of business and e-commerce disruptions resulting from inadequate technical
security controls. CIS benchmarks support high level standards that deal with the
"Why, Who, When, and Where" aspects of IT security by detailing "How" to secure an
ever widening array of workstations, servers, network devices, and software
applications in terms of technology specific controls.
Generally Accepted System Security Principles (GASSP), sponsored by the International Information Security Foundation (I2SF), promote good practice and provide an authoritative point of reference and legal reference for information security principles, practices and opinions.
The National Institute of Standards and Technology (NIST) has published guidelines that provide a standardized approach for assessing the effectiveness of the management, operational and technical security controls in an information system, and for determining the business or mission risk to an agency's operations and assets brought about by the operation of that system. Under the Computer Security Act of 1987 (P.L. 100-235), the Computer Security Division of the Information Technology Laboratory (ITL) develops computer security prototypes, tests, standards and procedures to protect sensitive information from unauthorized access or modification. Focus areas include cryptographic technology and applications, advanced authentication, public key infrastructure, internetworking security, criteria and assurance, and security management and support. The NIST IPsec Project is concerned with providing authentication, integrity and confidentiality security services at the Internet (IP) layer, for both the current IP protocol (IPv4) and the next-generation IP protocol (IPv6).
Commonly Accepted Security Practices & Recommendations (CASPR)
provides advice about how to use technologies, products, and methodologies to secure
the IT environment, through papers written and vetted by a community of experts.
Bureau of Indian Standards (BIS) describes Information Security Policy as one
of the main responsibilities of the management of an organization and thus is a pointer
to the roles and functions of the auditor. It talks about identifying all business critical
information and evaluating their existing classification, risk assessment, reviewing the
security controls to mitigate the risks and suggesting improvements in the Information
Security Management System.
Legal enactments
In 1996 the United Nations Commission on International Trade Law (UNCITRAL) adopted the Model Law on Electronic Commerce. The Model Law facilitates the use of modern means of communication and storage of information, such as electronic data interchange (EDI), electronic mail and telecopy, with or without the use of paper-based concepts such as "writing", "signature" or "original". The General Assembly of the United Nations adopted the Model Law on Electronic Commerce by resolution on 30 January 1997. This resolution recommended, inter alia, that all States give favourable consideration to the Model Law when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information.

In India, the IT Act 2000 has provided legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, which involve the use of alternatives to paper-based methods of communication and storage of information, so as to facilitate electronic filing of documents with Government agencies.
Standards for auditing Information Systems Security
In addition to the generic auditing standards to be followed while auditing Information Systems, guidelines, practices or benchmarks are necessary to specifically address issues relating to the audit of Information Systems Security. We discuss this in respect of three distinct domains of Information System Security, namely Operational System Security, Telecommunication or Networking Security and Access Control Security, which are the sub-themes of this seminar.
1. Operational Systems Security
An Operational Systems Security Audit is a process to evaluate the security features of an information system in an organization. This includes examining the internal controls within the system and the extent to which they are effective in achieving the objectives of safeguarding assets and maintaining data integrity and availability. These controls may be preventive, detective, corrective or response-based in nature. The following specific areas come under the scope of a comprehensive security audit of the operational system: Organizational Security, Asset Classification and Control, Physical and Environmental Security, Personnel Security, System Development and Maintenance, Business Continuity Management policies and Compliance with the legal framework.
The auditor should examine the following issues in respect of procedures and
policies laid down by the organization –
a. Organizational security – The auditor should check that the management has defined a security policy and is committed to implementing it, to continuously improving its effectiveness, to spreading awareness among users and to ensuring the availability of resources. The auditor should examine how clearly and appropriately the mission statement defines the purpose and goals of the policy to preserve the confidentiality, integrity and availability of computing resources. The auditor should see that:
i. A comprehensive security policy approved by the management is in place, documented, and communicated to and understood by all concerned.
ii. It clearly defines the responsibilities of the members of the organization.
iii. The policy is reviewed regularly and amended if required, with appropriate authorization.
iv. The procedures are documented and followed as laid down.
v. Adequate controls are in place to ensure the security of the organization's information processing facilities and assets that are accessed by third parties or outsourced.
vi. The policies and procedures have their intended effect, and the confidentiality, integrity and availability of the system and data are maintained and assets are safeguarded.
b. Asset classification and control – The auditor should examine the classification system adopted to maintain appropriate protection of organizational assets, both physical and logical. Such models classify assets and information into levels that determine who will be allowed access to which resource classification. For example, in military circles it is common for information to be classified into five levels, namely top secret, secret, confidential, restricted and unclassified, and organizations that adopt this scheme mirror those principles for their own information. Access to information at each level is decided on the need-to-know principle. The level of control required determines how elaborate the classification should be.

Similarly, with reference to a network where there are multiple users at multiple locations, including some outside the organization, the IS auditor should examine whether terminals and network elements are classified appropriately; for example, when a company deploys an IP network, on what rationale its network contents are classified as unclassified, shared, company-only and confidential. Alternative classification systems are possible.

The auditor would need to map these classifications to the segregation of duties, creation of users and access levels defined by the organization. The auditor should study the following issues:
i. An inventory of all assets is maintained and kept up to date, both in hard copy and electronically.
ii. The database of the information assets is maintained along with the
designated owner of the asset.
iii. Classified information is labeled, stored and handled strictly in accordance
with the classification level assigned to that information.
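The classification scheme described above is a lattice: a subject may read an object only if the subject's level is at least as high and the subject holds every need-to-know compartment the object carries. The following is an added illustration written for this page, not code from the paper or from any SAI India system; the five levels follow the scheme quoted above, while the compartment names, user names and ACL entries are invented. It also includes the "no write down" rule, which the paper does not spell out but which any lattice-based scheme needs to stop classified data being copied into a lower-classified file.

```python
"""Lattice-based classification check and an ACL audit built on it.
Added example for this page; names and compartments are constructed."""
from dataclasses import dataclass

# Five levels cited in the text, ordered from least to most sensitive.
LEVELS = ["unclassified", "restricted", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know categories (hypothetical names)

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high in level as `other` and
        covers every compartment of `other` (lattice dominance)."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    """'No read up': the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """'No write down': the object's label must dominate the subject's clearance,
    so a subject cleared for secret cannot copy data into an unclassified file."""
    return obj.dominates(subject)


def audit_acl(entries, labels):
    """Flag ACL read grants that the labels do not justify.
    `entries` is a list of (user, resource); `labels` maps both to Label."""
    findings = []
    for user, resource in entries:
        if not may_read(labels[user], labels[resource]):
            findings.append(f"{user}: read on {resource} exceeds clearance or need-to-know")
    return findings


# Constructed labels and grants, as an auditor might extract them from an access review.
LABELS = {
    "analyst_a": Label("secret", frozenset({"payroll"})),
    "clerk_b": Label("confidential"),
    "payroll_db": Label("secret", frozenset({"payroll"})),
    "hr_notice": Label("restricted"),
    "board_minutes": Label("secret", frozenset({"board"})),
}
ACL = [
    ("analyst_a", "payroll_db"),     # justified: level and compartment both match
    ("clerk_b", "payroll_db"),       # finding: confidential < secret
    ("analyst_a", "board_minutes"),  # finding: lacks the "board" compartment
    ("clerk_b", "hr_notice"),        # justified: confidential >= restricted
]

if __name__ == "__main__":
    for f in audit_acl(ACL, LABELS):
        print(f)
```

Two of the four grants are flagged: one for an insufficient level, one for a missing compartment even though the level is adequate. That second case is the one an auditor mapping classifications to access levels most often finds missing, because a level-only scheme cannot express need-to-know.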
c. Personnel Security – The auditor should be satisfied with respect to the organization's policy of including security roles in job descriptions, making them binding on employees, and the steps taken to make employees aware of threats and concerns. The auditor should examine the comprehensiveness of the policy, and whether it addresses violations of the security policy by employees. The auditor should attempt to address the following issues:
i. Is there a formal system in place for reporting incidents and taking preventive and remedial action, which works towards minimizing the damage from such incidents? Do users follow a formal incident response mechanism?
ii. Is there an Acceptable Use Policy for IT resources, and do users comply with it?
iii. Is there a mechanism in place to defend the system against techno-vandalism?
iv. What steps have been taken to make users aware of the threats to the information system, its safeguards and the required remedial measures?
d. Physical and Environmental Security – The auditor should examine whether the steps taken by the organization adequately prevent unauthorized physical access to, and interference with, the business premises and information assets, and prevent loss, damage or theft. To be satisfied of the adequacy of procedures in this respect, the auditor should see that:
i. Equipment is maintained in accordance with documented procedures.
ii. Secure areas have been created with restricted physical access, and guidelines are given for conducting activities in these areas.
iii. Logs of entry and exit are maintained.
iv. Adequate steps are taken to secure equipment at other related sites.
v. Equipment on site is protected from natural disasters such as fire, flood and earthquake, and from man-made disasters such as terrorist attacks and power problems.
vi. Necessary facilities such as air-conditioning and a dust-free environment are in place for the smooth functioning of the system.
vii. Equipment is supported by appropriate maintenance facilities staffed by qualified engineers.
e. Communications and Operations Management – Controls should be in place to secure all three stages of data communication in a network, namely assembly, dispatch and retrieval of data. The auditor should see whether a multi-layered security model is in place, consisting of some or all of the following: border router filtering, firewalls, intrusion detection systems, domain-based security, host protection, cryptography, physical security, incident response, defined standards, and active monitoring and testing. Security standards would cover the examination of operating systems, system software, servers, databases, personnel, application software, networking protocols and so on.
f. System Development and Maintenance – The auditor should examine the extent to which security is embedded in the system during development, and verify the support processes. Well-documented change control procedures should be in place for the smooth maintenance of the application system, and stringent controls should be in place in respect of outsourced software development and facility management.
g. Business Continuity Management – The auditor should review the disaster recovery plan implemented by the organization to reduce the disruption caused by security failures to an acceptable level. It should be tested and include clearly laid-down preventive steps and recovery controls. This area of audit addresses identification and reduction of the associated risks, limiting their consequences and ensuring timely resumption of essential operations. Disaster recovery plans for network failures should be tested in advance and updated periodically. Key personnel should be identified who would be accessible at the time of any eventuality. All users should also be aware of the plan and their respective duties.
h. Compliance – The auditor should check the organization's compliance with the various applicable statutory, mandatory and contractual requirements concerning the design, operation, use and management of Information Systems, including intellectual property rights, the use of licensed versions of all software in use along with the operating systems, safeguarding and protection of organizational records and data, prevention of misuse of information processing facilities, collection of evidence for legal action, and regulation of cryptographic controls. It should also be checked whether the organization performs regular checks of technical compliance with security implementation standards and with the provisions of the Information Technology Act.
2. Telecommunications or Networking Security
Network systems encompass the various communication network elements and protocols deployed to carry data and information between the users and sites of the information system. As the world, and organizations with it, become more networked, there is an increasing threat from intruders on the network who can damage the information system, at times beyond repair. Thus an Information Systems Auditor needs to find the breaches of the security policy that compromise the Confidentiality, Integrity and Availability (CIA) of the network security domain and thereby affect network performance.

In order to ensure that the CIA triad is preserved, the auditor should look into the following issues:
Confidentiality
i. A clear description of the security attributes of all network services and
protocols used by the organization is clearly laid down.
ii. Routing controls exist to ensure that information flows across various nodes
of the network do not breach the access control policy of the application.
iii. The network layout and architecture and its interface with other external
networks are approved by the competent authority.
xiv. The server is protected from unauthorized intrusion and malicious programs using a firewall and anti-virus software.
xv. Non-repudiation services are used for important communications.
xvi. Procedures for incident response are in place, which indicate the organization's preparedness to deal with threat situations.
xvii. The auditor should see that a well-defined policy on the use of network services exists and that users have access to the services for which they have been authorized.
Availability
xviii. Fault tolerance for data availability is identified, keeping in view the criticality of the information.
xix. Regular exercises are undertaken to make relevant personnel familiar with computer incidents and breaches of security.
xx. Back-ups are taken as per the laid-down policy by the designated officials, periodically tested, and a record of the tests is maintained. Back-ups are taken in more than one set and kept at a safe and secure place.
xxi. Operational network logs are maintained and analyzed, and remedial action is taken.
xxii. All servers, firewalls, routers and other mission-critical workstation units have back-up power supply.
3. Access Security
Access security encompasses control of access to information, prevention of unauthorized access to information systems, prevention of unauthorized user and computer access, protection of network services, detection of unauthorized activities and provision of security during computing and teleworking. An audit of access security requires the auditor to see whether the organization has defined and documented business requirements for access control and an access control policy for restricted access. The auditor should review user access and information access management in the organization in great detail to assess the adequacy of controls. Access controls should be defined in the application at the time of its development and tested. In the case of third-party maintenance or facility management, access should be defined in a way that does not compromise the CIA of data.
In order to ensure that CIA triad is preserved the auditor should look into the
following issues:
Confidentiality
i. A password policy should be designed keeping in view the criticality of the application. It should contain parameters such as the composition of user IDs and passwords, the frequency of password changes, minimum password length, etc. The auditor should seek answers to the following questions:
a. Are user IDs unique, with only one per user?
b. Are passwords difficult to crack?
c. Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
d. Are there audit logs recording who is accessing data?
e. Are the audit logs reviewed?
f. Are system-generated passwords stored in the system?
g. Are the password-generation algorithms protected?
h. Is there a limit on consecutive unsuccessful log-on attempts?
i. Is there a unique combination of user ID and password for each user?
j. Are users informed of, and asked to follow, good security practices in the selection and use of passwords?
ii. A formal procedure for the registration of a user is in place.
iii. The allocation and use of privileges is restricted and controlled.
iv. A formal policy and documented procedure for the allotment of user IDs is in place.
v. Usage rights are reviewed at regular intervals and revised if necessary.
vi. Unattended equipment is sufficiently protected.
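Several of the questions above (unique IDs, password age, a limit on consecutive failed log-ons, review of privileges) can be answered from evidence the auditee already holds: an account export and the authentication log. The block below is an added example for this page, not code from the paper or from any audited system; the policy values, account records and log lines are constructed. The lockout check is the one worth noting: rather than reading the configured threshold, it looks in the log for a successful log-on that follows a run of failures at or above the threshold, which is direct evidence that no lockout took effect.

```python
"""Access-control audit checks run over constructed evidence.
Added example for this page; accounts, log lines and policy values are invented."""
from collections import defaultdict
from datetime import date

# Parameters an auditor would take from the organisation's password policy (assumed values).
POLICY = {"max_password_age_days": 90, "lockout_threshold": 5}
AS_OF = date(2004, 9, 1)

# Constructed account export: (user_id, person, last_password_change, is_privileged)
ACCOUNTS = [
    ("u1001", "A. Sharma", date(2004, 7, 15), False),
    ("u1002", "B. Rao",    date(2004, 1, 10), True),   # stale password on a privileged account
    ("u1003", "C. Das",    date(2004, 8, 20), False),
    ("u1003", "D. Iyer",   date(2004, 8, 21), False),  # same ID issued to two people
    ("admin", "shared",    date(2003, 3, 1),  True),   # generic shared privileged account
]

# Constructed authentication log: (timestamp, user_id, outcome).
# u1002 fails seven times and then succeeds; u1001 fails once and then succeeds.
AUTH_LOG = (
    [(f"2004-08-30T09:00:{i:02d}", "u1002", "FAIL") for i in range(7)]
    + [("2004-08-30T09:00:07", "u1002", "SUCCESS"),
       ("2004-08-30T09:05:00", "u1001", "FAIL"),
       ("2004-08-30T09:05:10", "u1001", "SUCCESS")]
)


def duplicate_ids(accounts):
    """Question (a): IDs held by more than one person defeat accountability."""
    holders = defaultdict(list)
    for uid, person, _, _ in accounts:
        holders[uid].append(person)
    return {uid: people for uid, people in holders.items() if len(people) > 1}


def stale_passwords(accounts, as_of, max_age_days):
    """Password-change frequency: accounts whose password is older than policy allows."""
    return [uid for uid, _, changed, _ in accounts if (as_of - changed).days > max_age_days]


def lockout_not_enforced(log, threshold):
    """Question (h): users who logged on successfully right after a run of
    `threshold` or more consecutive failures. If lockout were enforced, the
    success could not have happened, so each hit is evidence the limit is absent."""
    streak = defaultdict(int)
    offenders = set()
    for _, uid, outcome in sorted(log):          # process in timestamp order
        if outcome == "FAIL":
            streak[uid] += 1
        else:
            if streak[uid] >= threshold:
                offenders.add(uid)
            streak[uid] = 0
    return sorted(offenders)


def privileged_accounts(accounts):
    """Item iii: the privilege list the auditor asks management to justify."""
    return [uid for uid, _, _, priv in accounts if priv]


def run_audit():
    return {
        "duplicate_ids": duplicate_ids(ACCOUNTS),
        "stale_passwords": stale_passwords(ACCOUNTS, AS_OF, POLICY["max_password_age_days"]),
        "lockout_not_enforced": lockout_not_enforced(AUTH_LOG, POLICY["lockout_threshold"]),
        "privileged": privileged_accounts(ACCOUNTS),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

Each finding carries its own evidence (the duplicate ID with both holders, the account and its password date, the user whose failure streak was not stopped), which is what the audit report needs to be supported by "sufficient, reliable, relevant and useful evidence" in the sense of the ISACA requirement quoted earlier.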
Integrity
vii. While reviewing the application controls, the auditor should be satisfied in respect of input data validation, data processing validation, message authentication and output data validation.
Availability
viii. Physical and Logical Access Security – The auditor should verify the adequacy of controls for the physical security of information system installations. The auditor should also review the logical access security controls, which include classification of users and their level of access on the basis of segregation of duties, the password policy and validation controls.
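Message authentication (item vii above) means a receiving application can tell whether a message was altered between sender and receiver. The block below is an added example for this page, not code from the paper or from any audited system: it protects a constructed reservation-style record with an HMAC-SHA256 tag and shows a tampered copy being rejected. The key, field names and values are assumptions. It also bears on item xv of the networking section: an HMAC gives authentication and integrity between parties that share the key, but not non-repudiation, because either holder of the key could have produced the tag; non-repudiation requires a digital signature under a private key held only by the sender.

```python
"""Message authentication with HMAC-SHA256 and constant-time verification.
Added example for this page; key and message contents are constructed."""
import hashlib
import hmac
import json

KEY = b"example-shared-key-do-not-reuse"  # assumed; in practice obtained from a key store


def protect(payload: dict, key: bytes) -> bytes:
    """Serialise the record deterministically and append an HMAC tag, so any
    change to a field value or to the field order is detected on receipt."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()


def verify(message: bytes, key: bytes):
    """Return the payload if the tag is valid, otherwise None.
    compare_digest is used instead of == so that the comparison does not leak
    how many leading tag bytes were correct through its timing."""
    body, sep, tag = message.rpartition(b".")  # tag is hex, so the last '.' is the separator
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def demo():
    """Protect a constructed record, then verify both the original and a copy
    in which the fare has been lowered in transit."""
    msg = protect({"pnr": "4512345678", "fare": 1250, "from": "NDLS", "to": "BCT"}, KEY)
    accepted = verify(msg, KEY)
    tampered = msg.replace(b'"fare":1250', b'"fare":125')
    rejected = verify(tampered, KEY)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = demo()
    print("original accepted:", ok is not None)
    print("tampered rejected:", bad is None)
```

The check an auditor can make against a live application is whether a tag is verified before the payload is acted upon, and whether the comparison is constant-time; an application that parses the body first and validates the tag afterwards has already trusted unauthenticated input.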
Case study and examples
SAI India has in recent times taken up, on a priority basis, IT reviews of important applications implemented in various departments of the Central and State Governments. Audit's main concern has been to critically examine these systems to ensure that national and international best practices, standards and procedures are being followed, and to find out the impact of these initiatives on governance in general. A few case studies, and interesting cases highlighted in the print media, have been placed in the appendix. These case studies bring out various security lapses observed in the course of audit.
Conclusion
Information system security has gained importance with the increasing use of computer systems and the proliferation of the Internet. IS auditors have an important role to play given the strategic importance of information systems. Various institutions have framed elaborate guidelines and standard practices to be adopted while conducting a security audit. We have tried to capture the important issues that would form the basic premise of any security audit standard to protect the confidentiality, integrity, reliability and availability of information systems.
References
1. 6th ASOSAI Research Project, IT Audit Guidelines
2. IS 15150:2002, Bureau of Indian Standards
3. Information Systems Security Handbook for the Indian Audit and Accounts Department, Office of the Comptroller and Auditor General of India, December 2003
4. Ron Weber, Information Systems Control and Audit
5. Charles Cresson Wood, Information Security Policies Made Easy
Supreme Audit Institution, India17
8/3/2019 Audit India
http://slidepdf.com/reader/full/audit-india 18/25
Formulation of IT Auditing Standards
Case Study 1
Review of Passenger Reservation System at Indian Railways
Indian Railways serve as the principal mode of passenger transport as it transports about 11 million passengers per day, of which 5.5 million travel on
reserved accommodation. In order to provide better services Indian Railways
implemented country wide Passenger Reservation System (PRS) networking
through the application software Countrywide Network of Computerized Enhanced
Reservation and Ticketing (CONCERT), which was initially implemented in 1985
in Delhi on a pilot basis and later at Mumbai, Chennai, Kolkata and Secunderabad.
Apart from passenger reservation, CONCERT facilitates availability of Passenger Name Record (PNR) status and other journey planning information to the
public through various interfaces viz. Interactive Voice Response System (IVRS),
Touch Screens and Passenger Operated Enquiry Terminal (POET). All the five sites
have been networked using routers on communication lines leased from the
Department of Telecommunication.
The scope of Audit included study of individual modules and review of various
controls of the operational system at one of the sites.
Audit observations:
Operational System
1. Non-standardization of procedures for change management resulting in
erratic functioning of the application software.
2. Mismatch between Daily Terminal Cash Statement and Transaction Cash
Summary indicated lack of data integrity.
3. Incorrect calculation of the distances by the application software resulted
in short-levy of fares indicating lack of data reliability.
4. No documents of CONCERT software and its users manuals were
available.
5. The data was not properly backed up and there was no provision for off-
site storage of data at an alternative location. In case of disaster, it would not
be possible to retrieve the data.
Network controls
6. Improper working of Routers affecting reliable and smooth data transfer
among various sites.
Access controls
7. Non-provision of System logs for monitoring of modification of system
settings, database files and other important files by the authorized persons.
8. Non-adherence to accepted procedure in creation/ authorization of user
IDs/ privileges leading to risk of unauthorized access for amendment or
deletion of data. The User IDs of transferred/ retired employees were not
removed. Weaknesses in the control mechanism led to refunds on tickets
reported lost, non-validation of inputs, etc.
Case Study 2
Review of eSeva – an e-Governance initiative
Government implemented a unique pilot project ‘e-seva’ as part of e-governance
initiative to provide speedy citizen services across the counter. The deliverables of the
system included – services like payment of utility bills, obtaining birth/marriage
certificates, filing tax returns, land registration etc without any restriction of location,
collect revenue relating to various departments, etc. The participating departments were
to allow access to their database, which was to be updated on a day-to-day basis after
the financial transactions were carried out. The three tier architecture comprised of
terminals and printers located at eSeva centers in the first layer; the second tier
consisted of web servers and firewall servers located at the City Data Centre and the
third tier consisted of departmental servers located at different departmental offices,
whose services were made available to citizens over the network.
Security Audit formed a part of the overall audit plan. An audit software tool,
IDEA (Interactive Data Extraction and Analysis), was used for carrying out the audit.
The findings of the audit are discussed in succeeding paragraphs.
The findings of audit in terms of breach of security are presented below –
Operational Systems
1. Documentation relating to software, hardware, network, error handling,
etc. was incomplete.
2. Assets and data were not classified on the basis of risk perception.
3. Complete technical documentation including the source code was not
obtained. This made it impossible for identification of any unauthorized
programme running in the software application package.
4. There was no documented disaster recovery plan defining the roles,
responsibilities, rules and structures in the event of any disaster accidental or
otherwise.
5. No alternative site was identified for data centre activities in case of any
disaster.
6. Back-up procedure
- As against specified 17, only 2 back-up routers were available at the City
data centre.
- Back-up procedures were not defined in respect of offline transactions.
- In the absence of key personnel, no alternate arrangements were made to
handle contingencies.
- The back-ups of online data taken by the operator were not tested.
Network controls
7. No review of functioning of network management tools was undertaken
by the management to identify weaknesses.
8. There was a difference in number of transactions as reported by eSeva
and two participating departments which indicated that data transmission was
incomplete on some days.
9. Protocol analyzers, essential for ensuring network security, were not
used.
10. Data was not classified as per sensitivity and was transmitted in clear
text between eSeva centres to data centre instead of in an encrypted form. The
risk of splicing the wire and re-routing the data or tampering the data by way of
unauthorized access could not be ruled out.
11. Technical experts did not test the reliability of firewalls. Penetration test reports
were also not produced to audit.
12. The logs of internet transactions were not maintained on a continuous
basis. They were neither archived nor reviewed.
Access Controls
13. There was an incident of theft, which indicated lack of physical security.
14. Password policy
- Password policy did not exist with respect to the eSeva application,
Oracle Database and operating system.
- There was no restriction on unsuccessful login attempts.
- The best practices followed in respect of password composition were not
followed.
- There was no system of maintaining emergency passwords, which had to
be kept in a sealed cover with responsible authority for use in unforeseen
situations.
- There was no documented well-defined procedure for creating user
accounts.
- The systems did provide for transaction logs, but did not provide for
audit trail, which could trace the flow of transactions and processing at
every stage.
- It was noticed that the application allowed deletion of data without
authentication.
Case Study 3
Review on the Billing system of a State Electricity Board
A State Electricity Board computerized its billing system using COBOL/Unix
Platform in 1981, which was subsequently re-engineered using RDBMS platform
(Oracle/Developer 2000) during 1997-2000 at a total cost of Rs.32.85 lakh. Considering
that 60 per cent of the total revenue was generated from retail consumers, this system
handling billing and revenue realization was “mission critical” in nature.
The objectives of the Billing system were prompt generation of bills and speedy
redressal of customer grievances, incorporate frequent changes in business rules and
tariff, generating Management Information System (MIS) reports.
Audit findings
Operational System
1. Lack of formulated and documented IT policy – The board is yet to formulate
and document a formal IT policy and IT security policy.
2. There was no segregation of duties amongst the Systems Analysts,
Programmers and Assistant Programmers, as all had direct access to
live data and programs.
3. There was no policy regarding the identification and classification of the
data/programs of the Billing into critical, sensitive and confidential categories
based on Risk profile.
4. ‘Disaster Recovery and Business Continuity Plan’ was not drafted.
5. Although backups of billing data were being taken at periodic intervals, there
was no formal policy regarding the frequency of test checking the backups for
recovery. Neither were the backups so obtained tested periodically, nor were any
logs maintained to verify any such test checks.
6. The board had no documented formal policy related to change management
procedure covering control of the ongoing maintenance of system, standard
methodology for recording and performing changes. There was no system of
formal certification from the Board official.
Network controls
7. The programme changes in the system were sent to the various IT centers as
version patches through e-mail. However, no formal acknowledgement was
being obtained from all IT centers that all the patches had been received as sent
and uploaded in a timely manner. It was also observed that the proper version
patches were not uploaded and no proper validation checks were incorporated
in the Billing system to address the problem. Moreover sending the patches
through Internet without proper encryption also entailed high risk of
interception and manipulation of tariff parameters.
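The receiving-side checks that item 7 above says were missing, as an added example that is not the Board's code or the paper's: each patch carries a version number and hash bound by an HMAC, the IT centre refuses out-of-sequence or altered attachments, and every outcome is recorded as an acknowledgement for the sender. The shared key, the sequential version scheme and the record format are assumptions; confidentiality of the patch content in transit would additionally need encryption, which this example does not cover.

```python
# Added example, not the Board's code: receiving-side checks for the patch
# distribution in item 7 (patches sent by e-mail, no acknowledgement of
# receipt, wrong versions uploaded, no validation checks). The shared key,
# sequential version scheme and acknowledgement format are assumptions.
import hashlib, hmac, json

SHARED_KEY = b"assumed-pre-shared-key"   # would be provisioned out of band

def sign_manifest(version: int, patch: bytes) -> dict:
    """Sender side: bind the version number and patch hash under an HMAC."""
    manifest = {"version": version, "sha256": hashlib.sha256(patch).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["mac"] = hmac.new(SHARED_KEY, body, "sha256").hexdigest()
    return manifest

class PatchReceiver:
    def __init__(self, installed_version: int):
        self.installed_version = installed_version
        self.acknowledgements = []   # returned to the sender; auditable trail

    def apply(self, manifest: dict, patch: bytes) -> str:
        """Validate MAC, attachment hash and version order; record the outcome."""
        body = json.dumps({k: manifest[k] for k in ("version", "sha256")},
                          sort_keys=True).encode()
        expected = hmac.new(SHARED_KEY, body, "sha256").hexdigest()
        if not hmac.compare_digest(expected, manifest.get("mac", "")):
            outcome = "rejected: manifest MAC mismatch"
        elif hashlib.sha256(patch).hexdigest() != manifest["sha256"]:
            outcome = "rejected: attachment altered in transit"
        elif manifest["version"] != self.installed_version + 1:
            outcome = f"rejected: expected version {self.installed_version + 1}"
        else:
            self.installed_version = manifest["version"]
            outcome = "applied"
        self.acknowledgements.append((manifest.get("version"), outcome))
        return outcome
```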
Access Controls
8. Insufficient security features with respect to access control, passwords and
login control rendered the system vulnerable to unauthorized access and data
manipulation.
9. The accessibility at various levels of hierarchy was not defined resulting in risk of
unauthorized access and manipulation of data/program.
10. Mandatory Access Controls were not maintained by granting of privileges to
individuals based on "need to know" or "least privilege" basis. Majority of the
access controls were of a discretionary nature, which permitted system staff to
have access to database and vice versa.
11. There was no well-defined and documented password policy. The system did
not generate any logs to record the number of failed login attempts. The tables
containing the list of usernames and passwords were not encrypted and were
retained in text form, thus rendering them vulnerable to misuse. The absence of
such basic controls regarding data security in a mission critical system with
huge revenue implications posed a serious threat to both the
application and the data.
12. Physical security arrangements like fire/water detectors were not installed.
Also the back up data was stored at the front of main entrance and separated
only by a fiberglass partition, which made it vulnerable to theft.
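The authentication controls whose absence is recorded under Case Study 2 (no restriction on unsuccessful login attempts, password composition rules not followed) and item 11 of Case Study 3 (password table retained in clear text, no log of failed logins), as an added example that is not from the paper or the audited systems: passwords are stored only as salted PBKDF2 digests, a composition rule is enforced at creation, failed logins are logged and the account locks after a threshold. The threshold, work factor and the rule set are assumptions chosen for illustration.

```python
# Added example, not code from the paper: the authentication controls whose
# absence Case Study 2 (no limit on unsuccessful logins, no composition rules)
# and Case Study 3 (password table in clear text, no failed-login log) record.
# Threshold, work factor and the rule set are assumptions for illustration.
import hashlib, hmac, os, re

MAX_FAILED_ATTEMPTS = 3       # assumed lockout threshold
PBKDF2_ITERATIONS = 200_000   # assumed work factor

def password_acceptable(password: str) -> bool:
    """Composition rule: 12+ characters with lower, upper, digit and symbol."""
    return (len(password) >= 12
            and bool(re.search(r"[a-z]", password))
            and bool(re.search(r"[A-Z]", password))
            and bool(re.search(r"\d", password))
            and bool(re.search(r"[^\w\s]", password)))

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

class AuthStore:
    def __init__(self):
        self.users = {}       # username -> {salt, digest, failed, locked}
        self.audit_log = []   # reviewable trail; the finding says none existed

    def add_user(self, username: str, password: str) -> bool:
        if not password_acceptable(password):
            self.audit_log.append(("weak_password_rejected", username))
            return False
        salt = os.urandom(16)  # per-user salt; only the derived digest is stored
        self.users[username] = {"salt": salt, "digest": _derive(password, salt),
                                "failed": 0, "locked": False}
        return True

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None or rec["locked"]:
            self.audit_log.append(("login_refused", username))
            return False
        if hmac.compare_digest(rec["digest"], _derive(password, rec["salt"])):
            rec["failed"] = 0
            self.audit_log.append(("login_ok", username))
            return True
        rec["failed"] += 1
        self.audit_log.append(("login_failed", username, rec["failed"]))
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:   # lockout after repeated failures
            rec["locked"] = True
            self.audit_log.append(("account_locked", username))
        return False
```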
Some interesting incidents of security breaches over the world
1. First cyber crime conviction – The CBI secured its first conviction in a cyber
crime when a designated court convicted an engineer on charge of defrauding an
American national of 578 Dollars by misusing her credit card through the web.
The engineer had admitted that he got the details from the US national during a
live chat on the internet at the call centre where he was a technical support
staffer. The accused, who attended to her call, allegedly managed to convince her
to reveal her credit card number and other details on the pretext of updating her
billing information, although he was not authorized to obtain such information
from any customer.
2. Commission’s records missing – The hard discs of two computers kept in the
office of the Justice Nanavati Commission in the high-security Government
building were stolen over the weekend. The discs contained sensitive
information on the illegal and unauthorised colonies in Delhi after March 1993.
The commission had been enquiring into the same.
3. Cyber Attacks: It's time to act – A software engineer was caught red-handed
trying to sell the source code of a sophisticated software package. The US based
company had outsourced debugging of the package to a Mumbai-based
company, where this engineer worked—after finishing work on the project, the
engineer resigned and took the entire source code of the software with him. He
then approached other software companies in the US through e-mail,
announcing that he had the source code and expressing his keenness to sell it.
He’s since been booked under Sections 379 and 406 of the Indian Penal Code
and Section 66 of the IT Act.
4. Hacking of the Department of Customs and Central Excise Site
The Central Bureau of Investigation registered its first case on hacking when the
Department of Customs and Central Excise complained that its site had been
hacked into. Identified as the ‘Anti-India Crew’, the culprits had hacked into
more than 120 Indian sites. Fortunately, they managed only to deface the
homepage before the hack was detected. The case gained importance, as it was
for the first time that a government department had lodged a complaint about
hacking of its Website.
5. Spamming for revenge
A 16-year-old school dropout was found guilty of spamming and sending
threatening e-mails. When a Web hosting company in the United Kingdom
complained of receiving thousands of Spam mails from India, CBI
investigations revealed that the youngster was an Internet addict, in the habit of
surfing and had made many virtual friends—and one of these virtual friends
was a client of this UK-based firm. When these two fell out, the teenager chose
to spam the company whose client the ex-friend was. The CBI registered a case
under Sections 507 and 509 of IPC and Section 66 of the IT Act, 2000.
6. Cyber crime up, police found wanting
A case of suspected hacking of certain web portals and obtaining the residential
addresses from the e-mail accounts of city residents had recently come to light.
After getting the addresses, letters were sent through post mail and the recipients
were lured into participating in an international lottery that had Australian $ 23
lakhs at stake. Hundreds of city residents had received these letters and a large
number of them had to pay a price for getting hooked.
7. Leakage of CBSE paper in Delhi
The computer data entry operator attached with the senior official guessed the
password of the programme, where the question papers were saved in a file. He
managed to guess the Password after making a number of attempts. As the
password was the name of the daughter of the official it was easy to guess it.